A network device such as a web server, a firewall computer, etc., can be targeted by an attacker to disrupt or even prevent the operation of the network device. For example, an attacker may install a computer virus and/or spyware to damage and/or access protected information. One or more attackers may also launch a denial of service (DoS) or distributed denial of service (DDoS) attack. In general, in a DoS/DDoS attack, a targeted network device is flooded with requests so that the resources of the network device, such as memory, communications and/or data processing subsystems, are overwhelmed. This can adversely affect, e.g., significantly slow down or even shut down, one or more services (e.g., rendering content via a network, performing an Internet search, a domain name lookup, a financial transaction, etc.) provided by the network device to legitimate users.
Several techniques that can detect and/or mitigate DoS/DDoS and other types of attacks typically require monitoring a sequence of packets arriving at a network device for processing thereby. The sequence can represent one or more flows, where different flows may relate to different types of service requests, service requests from different users, responses to one or more services requested by the network device, etc. In general, the arriving packets are analyzed to decipher patterns that can be used to distinguish the packets sent by one or more attackers from the packets sent by one or more legitimate users. The packets identified/designated as transmitted by an attacker may be dropped, i.e., such packets are not allowed to be processed by the network device. This general approach, however, presents some challenges.
First, the rate at which packets arrive at a typical network device, and at a firewall computer in particular, is so large that the analysis of the packets for deciphering patterns is computationally expensive, generally requiring millions of computations per second. Second, even if significant processing power is allocated for the analysis, aggressively designating a packet as transmitted by an attacker can increase a false positive rate, i.e., packets sent by legitimate users may be dropped which, in effect, is a disruption of the service(s) provided by the network device. A relatively less aggressive analysis, however, can increase a false negative rate, allowing packets sent by one or more attackers to reach the network device, thereby causing harm thereto.
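The false positive/false negative trade-off described above can be made concrete with a deliberately simple per-flow rate threshold. The following is an added illustration, not code from this document: it groups constructed packets into flows by source address, designates a flow as attacker traffic when its packet rate exceeds a threshold (hypothetical `threshold_pps`), and measures the error rates against constructed ground-truth labels at an aggressive and a lenient setting.

```python
from collections import defaultdict

# Constructed sample traffic: (timestamp_s, source_ip, is_attacker).
# The label is used only for evaluation; the classifier never sees it.
SAMPLE_PACKETS = (
    [(t * 0.002, "203.0.113.7", True) for t in range(500)]    # flood: 500 pkt/s
    + [(t * 0.025, "203.0.113.8", True) for t in range(40)]   # low-rate flood: 40 pkt/s
    + [(t * 0.1, "198.51.100.5", False) for t in range(10)]   # normal user: 10 pkt/s
    + [(t * 0.02, "198.51.100.9", False) for t in range(50)]  # busy legitimate user: 50 pkt/s
    + [(t * 0.5, "192.0.2.44", False) for t in range(2)]      # idle user: 2 pkt/s
)

def flow_rates(packets, window=1.0):
    """Group packets into flows by source address and return packets/second
    over the first `window` seconds (only timestamps inside the window count)."""
    counts = defaultdict(int)
    for ts, src, _label in packets:
        if ts < window:
            counts[src] += 1
    return {src: n / window for src, n in counts.items()}

def classify(packets, threshold_pps, window=1.0):
    """Designate a flow as attacker traffic when its rate exceeds threshold_pps.
    A lower threshold is more aggressive: it catches more floods but also
    drops more legitimate high-volume flows."""
    rates = flow_rates(packets, window)
    return {src: rate > threshold_pps for src, rate in rates.items()}

def error_rates(packets, threshold_pps, window=1.0):
    """Compare verdicts with the constructed labels and return the per-flow
    (false_positive_rate, false_negative_rate) for the given threshold."""
    verdict = classify(packets, threshold_pps, window)
    truth = {src: label for _ts, src, label in packets}
    legit = [s for s, is_attacker in truth.items() if not is_attacker]
    attackers = [s for s, is_attacker in truth.items() if is_attacker]
    fp = sum(verdict[s] for s in legit) / len(legit)        # legitimate flows dropped
    fn = sum(not verdict[s] for s in attackers) / len(attackers)  # floods let through
    return fp, fn

if __name__ == "__main__":
    for threshold in (20, 100):
        fp, fn = error_rates(SAMPLE_PACKETS, threshold)
        print(f"threshold={threshold:>3} pkt/s  FP rate={fp:.2f}  FN rate={fn:.2f}")
```

With the constructed traffic, the aggressive 20 pkt/s threshold drops the busy legitimate user (one false positive) while catching both floods, whereas the lenient 100 pkt/s threshold drops no legitimate flow but misses the low-rate flood.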